Hello.

Most CAs are selling code signing certificates in different "products", like Verisign or Certum:

  • Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla..."

  • Java CodeSign - "Allows you to sign Java code"

  • Software Publisher Certificate - "Allows you to sign software"

Well, I am REALLY confused about this. What is the difference between all these products - except the PRICE? I asked Verisign and other CAs a few times since I am curious, but got no answer.

I got an Authenticode certificate from Certum CA. I enrolled it in Internet Explorer, exported it as a PKCS#12 PFX and could sign EXE, DLL, ... as promised.

Now... I tried to import this PFX into Java with keytool, then I tried to sign a JAR. And it worked!

And then there is the mysterious "Software Publisher certificate" as a product. I don't know what I can/should sign with that... Mac? Linux? Isn't "Microsoft Authenticode" a Software Publisher certificate too? Isn't an EXE "software"? That really confuses me.

So, my question is now: When I have ordered a Microsoft Authenticode cert, is it then illegal to use it to sign e.g. JAR files or, if possible, any other content? There seems to be no technical difference between these certificates. All of those products should have the same code-signing EKU OID "1.3.6.1.5.5.7.3.3", which does not make any difference between EXE, JAR, Adobe AIR and whatever else exists out there. So, if all "CodeSigning" certificates are technically equal, why do I have to decide then if I want to be a "Java Developer" or "Windows Developer" or "Software Developer"?

Maybe there are still differences in the certificate? Maybe I don't get enough rights in JARs when I use Authenticode certs for signing?

(PS: I do not use my software commercially!)

Regards, Daniel Marschall
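Whether two "products" actually differ on the wire can be settled by reading the certificate's Extended Key Usage extension directly rather than trusting the CA's product name. The following is an added example using only the Go standard library (it is not code from the original post or from any CA): it generates a constructed, self-signed certificate carrying id-kp-codeSigning and lists every EKU OID present, so a product-specific extra OID would show up alongside 1.3.6.1.5.5.7.3.3. The second OID, 1.3.6.1.4.1.99999.1, is a placeholder and not a real assignment; for a real certificate, replace NewTestCert with x509.ParseCertificate on the DER exported from the PFX.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// NewTestCert is a constructed, self-signed stand-in for a CA-issued code-signing certificate.
func NewTestCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Test Signer"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, // id-kp-codeSigning
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{{1, 3, 6, 1, 4, 1, 99999, 1}}, // placeholder vendor OID, not a real assignment
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EKUOIDs decodes the raw id-ce-extKeyUsage (2.5.29.37) extension into dotted OID strings,
// including OIDs the x509 package has no name for. No extension at all yields nil.
func EKUOIDs(cert *x509.Certificate) []string {
	var out []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 37}) {
			continue
		}
		var oids []asn1.ObjectIdentifier
		if _, err := asn1.Unmarshal(ext.Value, &oids); err == nil { // malformed: report none
			for _, oid := range oids {
				out = append(out, oid.String())
			}
		}
	}
	return out
}
```

Run EKUOIDs over the Authenticode certificate and over a certificate sold as a different product; if the two lists are identical, the certificates are technically interchangeable and any remaining distinction is contractual rather than cryptographic.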